[MDEV-5321] Calling mysql_library_end accesses freed memory; dumps memory to display Created: 2013-11-20  Updated: 2014-01-29  Due: 2013-12-04  Resolved: 2013-11-25

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.5.35

Type: Bug Priority: Major
Reporter: Vilho Raatikka Assignee: Alexey Botchkov
Resolution: Fixed Votes: 0
Labels: None
Environment:

Linux linux-yxkl.site 3.7.10-1.16-desktop #1 SMP PREEMPT Fri May 31 20:21:23 UTC 2013 (97c14ba) x86_64 x86_64 x86_64 GNU/Linux

OpenSuse 12.3

Description

Valgrind reports:

==25335== Invalid read of size 4
==25335==    at 0x7B4C25A: pthread_rwlock_wrlock (in /lib64/libpthread-2.17.so)
==25335==    by 0x669BDEF: inline_mysql_rwlock_wrlock (mysql_thread.h:817)
==25335==    by 0x669F24F: openssl_lock(int, CRYPTO_dynlock_value*, char const*, int) (mysqld.cc:4044)
==25335==    by 0x669F1CC: openssl_lock_function(int, int, char const*, int) (mysqld.cc:4027)
==25335==    by 0x5BDB7DA: ??? (in /lib64/libcrypto.so.1.0.0)
==25335==    by 0x5BDBA58: ??? (in /lib64/libcrypto.so.1.0.0)
==25335==    by 0x5BDC3F9: ERR_remove_thread_state (in /lib64/libcrypto.so.1.0.0)
==25335==    by 0x695CC19: vio_end (vio.c:316)
==25335==    by 0x669226F: mysql_server_end (libmysql.c:211)
==25335==    by 0x406798: libmysqld_done (gateway.c:173)
==25335==    by 0x7D94F60: __run_exit_handlers (in /lib64/libc-2.17.so)
==25335==    by 0x7D94FE4: exit (in /lib64/libc-2.17.so)
==25335==  Address 0x8330600 is 64 bytes inside a block of size 2,624 free'd
==25335==    at 0x4C2AF6C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25335==    by 0x5B5EBAC: CRYPTO_free (in /lib64/libcrypto.so.1.0.0)
==25335==    by 0x669D2EC: clean_up_mutexes() (mysqld.cc:1934)
==25335==    by 0x66A4072: end_embedded_server (lib_sql.cc:628)
==25335==    by 0x6692265: mysql_server_end (libmysql.c:208)
==25335==    by 0x406798: libmysqld_done (gateway.c:173)
==25335==    by 0x7D94F60: __run_exit_handlers (in /lib64/libc-2.17.so)
==25335==    by 0x7D94FE4: exit (in /lib64/libc-2.17.so)
==25335==    by 0x7D7EA1B: (below main) (in /lib64/libc-2.17.so)

end_embedded_server calls clean_up_mutexes, which frees memory of mutexes. The next call in mysql_server_end calls vio_end under which one of the freed mutexes is accessed.
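The teardown ordering described above, as an added example in C that is not MariaDB's code: stand-ins for the OpenSSL lock array, the registered locking callback and ERR_remove_thread_state(); the freed pointer is cleared so a late access is counted rather than dereferenced, and the reordered teardown is the example's own, not the linked patch.

```c
/* Added example, not MariaDB's code: stand-ins for the OpenSSL lock array,
 * the registered locking callback and ERR_remove_thread_state(). */
#include <stdlib.h>
typedef struct { int locked; } fake_rwlock;
static fake_rwlock *openssl_locks;   /* array freed by free_locks() */
static void (*lock_cb)(int, int);    /* registered locking callback */
static int late_accesses;            /* callback runs after the free */
/* Stand-in for openssl_lock_function(): takes lock n in the array. */
static void lock_callback(int mode, int n) {
    /* Real code would dereference freed memory here; the pointer is
     * cleared on free so the late access is counted instead. */
    if (openssl_locks == NULL) { late_accesses++; return; }
    openssl_locks[n].locked = mode;
}

/* Stand-in for ERR_remove_thread_state(): still drives the callback. */
static void lib_remove_thread_state(void) {
    if (lock_cb) lock_cb(1, 0);   /* lock   */
    if (lock_cb) lock_cb(0, 0);   /* unlock */
}

static void init_locks(void) {
    openssl_locks = calloc(4, sizeof *openssl_locks);
    lock_cb = lock_callback;
    late_accesses = 0;
}

static void free_locks(void) {    /* like clean_up_mutexes() */
    free(openssl_locks);
    openssl_locks = NULL;
}

/* Order from the report: free first, then run the cleanup that needs them. */
int teardown_buggy(void) {
    init_locks();
    free_locks();                 /* end_embedded_server -> clean_up_mutexes */
    lib_remove_thread_state();    /* vio_end -> ERR_remove_thread_state */
    return late_accesses;         /* 2 */
}

/* One safe order: finish lock users, drop the callback, then free. */
int teardown_fixed(void) {
    init_locks();
    lib_remove_thread_state();
    lock_cb = NULL;
    free_locks();
    return late_accesses;         /* 0 */
}
```

Under Valgrind the real program shows the same pattern as an invalid read inside the lock call; here the count is what a unit test can assert on.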

Comments
Comment by Alexey Botchkov [ 2013-11-24 ]

Patch proposal:
http://lists.askmonty.org/pipermail/commits/2013-November/005715.html

Should also fix https://mariadb.atlassian.net/browse/MDEV-5311.

Comment by Daniel Bartholomew [ 2014-01-29 ]

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/3987

Generated at Thu Feb 08 07:03:23 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.